[Samba] samba 3.0.14a works with ldapsam backend but not 3.5.10-125.el6

Qing Chang qchang at sri.utoronto.ca
Mon Aug 20 09:13:04 MDT 2012


We are migrating our standalone Samba server (3.0.14a) on a Solaris 10 box to
an RHEL 6.3 box.

Testing shows that on Solaris 3.0.14a works with both the OpenLDAP server
we are currently using and the IPA2.2 server as LDAP backend. But 3.5.10-125.el6
on a RHEL 6.3 box does not work with either.

I can still map a share with 3.5 as owner of the shared directory, but secondary
group ownership does not appear to resolve properly. Below is an excerpt of
log.smbd, with many noisy lines removed:
===== log.smbd for samba 3.5 =====
[2012/08/16 12:47:39.499996,  2] passdb/pdb_ldap.c:572(init_sam_from_ldap)
   init_sam_from_ldap: Entry found for user: qchang
[2012/08/16 12:47:39.528627,  3] passdb/pdb_ldap.c:5215(ldapsam_gid_to_sid)
   ERROR: Got 0 entries for gid 201, expected one
[2012/08/16 12:47:39.822830,  4] auth/auth_sam.c:180(sam_account_ok)
   sam_account_ok: Checking SMB password for user qchang
[2012/08/16 12:47:39.822931,  5] auth/auth_sam.c:162(logon_hours_ok)
   logon_hours_ok: user qchang allowed to logon at this time (Thu Aug 16 16:47:39 2012 )
[2012/08/16 12:47:39.839645,  3] passdb/pdb_ldap.c:3057(ldapsam_enum_group_memberships)
   primary group of [qchang] not found
[2012/08/16 12:47:39.840098,  5] auth/auth_util.c:649(make_server_info_sam)
   make_server_info_sam: made server info for user qchang -> qchang
[2012/08/16 12:47:39.840196,  3] smbd/sec_ctx.c:418(pop_sec_ctx)
   pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2012/08/16 12:47:39.840284,  3] auth/auth.c:265(check_ntlm_password)
   check_ntlm_password: sam authentication for user [QChang] succeeded
[2012/08/16 12:47:39.840916,  5] auth/auth.c:291(check_ntlm_password)
   check_ntlm_password:  PAM Account for user [qchang] succeeded
[2012/08/16 12:47:39.840994,  2] auth/auth.c:304(check_ntlm_password)
   check_ntlm_password:  authentication for user [QChang] -> [QChang] -> [qchang] succeeded
[2012/08/16 12:47:39.841072,  5] auth/auth_util.c:2119(free_user_info)
   attempting to free (and zero) a user_info structure
[2012/08/16 12:47:39.841148, 10] auth/auth_util.c:2123(free_user_info)
   structure was created for QChang
[2012/08/16 12:47:39.846308,  4] passdb/pdb_ldap.c:2562(ldapsam_getgroup)
   ldapsam_getgroup: Did not find group, filter was 
(&(objectClass=sambaGroupMapping)(sambaSID=S-1-5-32-544))
[2012/08/16 12:47:39.852131,  3] auth/token_util.c:467(create_local_nt_token)
   Failed to fetch domain sid for RESEARCH
[2012/08/16 12:47:39.875509, 10] auth/token_util.c:531(debug_nt_user_token)
   NT user token of user S-1-5-21-3516781642-1962875130-3438800523-41232
   contains 5 SIDs
   SID[  0]: S-1-5-21-3516781642-1962875130-3438800523-41232
   SID[  1]: S-1-1-0
   SID[  2]: S-1-5-2
   SID[  3]: S-1-5-11
   SID[  4]: S-1-22-1-20117
   SE_PRIV  0x0 0x0 0x0 0x0
[2012/08/16 12:47:39.876009, 10] auth/token_util.c:551(debug_unix_user_token)
   UNIX token of user 20117
   Primary group is 201 and contains 0 supplementary groups
[2012/08/16 12:47:39.876370,  3] smbd/password.c:282(register_existing_vuid)
   register_existing_vuid: User name: qchang     Real name: Qing Chang
[2012/08/16 12:47:39.876457,  3] smbd/password.c:292(register_existing_vuid)
   register_existing_vuid: UNIX uid 20117 is UNIX user qchang, and will be vuid 100
[2012/08/16 12:47:39.877319,  3] smbd/password.c:223(register_homes_share)
   Adding homes service for user 'qchang' using home directory: '/home2/qchang'
[2012/08/16 12:47:40.614903,  3] smbd/service.c:1070(make_connection_snum)
   ws62203 connect to service IPC$ initially as user qchang (uid=20117, gid=201) (pid 6951)
=====

pdbedit -L has different output:

===== 3.0.14a =====
Trying to load: ldapsam:ldap://ipa1.sri.utoronto.ca
Attempting to find an passdb backend to match ldapsam:ldap://ipa1.sri.utoronto.ca (ldapsam)
Found pdb backend ldapsam
Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=OCTANE))]
smbldap_open_connection: connection opened
ldap_connect_system: succesful connection to the LDAP server
ldap_connect_system: LDAP server does support paged results
pdb backend ldapsam:ldap://ipa1.sri.utoronto.ca has a valid init
Attempting to find an passdb backend to match guest (guest)
Found pdb backend guest
pdb backend guest has a valid init
ldapsam_setsampwent: 1507 entries in the base dc=sri,dc=utoronto,dc=ca
init_sam_from_ldap: Entry found for user: qchang
=====

===== 3.5.10-125.el6 =====
smbldap_open_connection: connection opened
ldap_connect_system: successful connection to the LDAP server
pdb backend ldapsam:ldap://ipa1.sri.utoronto.ca has a valid init
smbldap_search_paged: base => [dc=sri,dc=utoronto,dc=ca], filter => 
[(&(uid=*)(objectclass=sambaSamAccount))],scope => [2], pagesize => [1024]
smbldap_search_paged: search was successful
sid S-1-5-21-3516781642-1962875130-3438800523-41232 does not belong to our domain
Skipping entry uid=qchang,cn=users,cn=accounts,dc=sri,dc=utoronto,dc=ca
=====

Here is the smb.conf related to LDAP for both 3.0.14a and 3.5.10-125.el6:
=====
         security = user
         ldap admin dn = "cn=Directory Manager"
         ldap ssl = off
         passdb backend = ldapsam:ldap://ipa1.sri.utoronto.ca
         ldap delete dn = no
         ldap user suffix = cn=users,cn=accounts
         ldap group suffix = cn=groups,cn=accounts
         ldap suffix = dc=sri,dc=utoronto,dc=ca
         ldap passwd sync = Yes
=====

It appears to me that 3.5 tries to be a domain controller by default? Your advice is greatly
appreciated.

Qing Chang
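The log excerpt above mixes a successful password check with several failed SID/GID lookups, and the pdbedit output says the user's SID "does not belong to our domain". The following parser is an added example (not code from the post or from Samba) that walks a log.smbd excerpt at this debug format, collects the lookups that failed, and splits the user's SID into its domain prefix and RID so the prefix can be compared with the sambaSID on the sambaDomain entry. The sample log is constructed from the lines quoted in the post; the assumption that the domain part of an S-1-5-21 SID is everything before the final RID is standard SID structure.

```python
import re

# Constructed sample: a subset of the log.smbd lines quoted in the post above.
SAMPLE_LOG = """\
[2012/08/16 12:47:39.499996,  2] passdb/pdb_ldap.c:572(init_sam_from_ldap)
   init_sam_from_ldap: Entry found for user: qchang
[2012/08/16 12:47:39.528627,  3] passdb/pdb_ldap.c:5215(ldapsam_gid_to_sid)
   ERROR: Got 0 entries for gid 201, expected one
[2012/08/16 12:47:39.839645,  3] passdb/pdb_ldap.c:3057(ldapsam_enum_group_memberships)
   primary group of [qchang] not found
[2012/08/16 12:47:39.846308,  4] passdb/pdb_ldap.c:2562(ldapsam_getgroup)
   ldapsam_getgroup: Did not find group, filter was
(&(objectClass=sambaGroupMapping)(sambaSID=S-1-5-32-544))
[2012/08/16 12:47:39.852131,  3] auth/token_util.c:467(create_local_nt_token)
   Failed to fetch domain sid for RESEARCH
[2012/08/16 12:47:39.875509, 10] auth/token_util.c:531(debug_nt_user_token)
   NT user token of user S-1-5-21-3516781642-1962875130-3438800523-41232
   contains 5 SIDs
   SID[  0]: S-1-5-21-3516781642-1962875130-3438800523-41232
   SID[  1]: S-1-1-0
   SID[  4]: S-1-22-1-20117
[2012/08/16 12:47:39.876009, 10] auth/token_util.c:551(debug_unix_user_token)
   UNIX token of user 20117
   Primary group is 201 and contains 0 supplementary groups
"""

# One log entry: "[timestamp, level] file.c:line(function)" followed by
# one or more indented message lines (the LDAP filter wraps onto its own line).
HEADER_RE = re.compile(
    r"^\[(?P<ts>[^\]]+),\s*(?P<level>\d+)\]\s+(?P<loc>\S+)\((?P<func>\w+)\)\s*$"
)
DOMAIN_SID_RE = re.compile(r"^(S-1-5-21(?:-\d+){3})-(\d+)$")
GID_ERR_RE = re.compile(r"Got 0 entries for gid (\d+)")
GROUP_SID_RE = re.compile(r"\(sambaSID=(S-1-[\d-]+)\)")
TOKEN_SID_RE = re.compile(r"NT user token of user (S-1-5-21(?:-\d+){3}-\d+)")
DOMAIN_FAIL_RE = re.compile(r"Failed to fetch domain sid for (\S+)")
PRIMARY_RE = re.compile(r"Primary group is (\d+) and contains (\d+) supplementary groups")


def parse_log(text):
    """Group a log.smbd excerpt into entries of {func, level, message}."""
    entries = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            entries.append({"func": m["func"], "level": int(m["level"]), "message": ""})
        elif entries:
            # Continuation line: append to the current entry's message.
            entries[-1]["message"] = (entries[-1]["message"] + " " + line.strip()).strip()
    return entries


def split_sid(user_sid):
    """Return (domain_sid, rid) for an S-1-5-21-... account SID.

    Assumption (standard SID layout): the domain identifier is everything
    before the final sub-authority, which is the account's RID.
    """
    m = DOMAIN_SID_RE.match(user_sid)
    if not m:
        raise ValueError("not an S-1-5-21 domain SID: %s" % user_sid)
    return m.group(1), int(m.group(2))


def triage(text):
    """Summarise which passdb lookups failed and what SID the user carries."""
    report = {
        "user_sid": None, "domain_sid": None, "rid": None,
        "missing_gid_mappings": [],   # gids with no sambaGroupMapping entry
        "missing_group_sids": [],     # group SIDs the ldapsam backend could not find
        "domain_sid_failures": [],    # workgroups whose domain SID could not be fetched
        "supplementary_groups": None,
    }
    for e in parse_log(text):
        msg = e["message"]
        if m := GID_ERR_RE.search(msg):
            report["missing_gid_mappings"].append(int(m.group(1)))
        if m := GROUP_SID_RE.search(msg):
            report["missing_group_sids"].append(m.group(1))
        if m := DOMAIN_FAIL_RE.search(msg):
            report["domain_sid_failures"].append(m.group(1))
        if m := TOKEN_SID_RE.search(msg):
            report["user_sid"] = m.group(1)
            report["domain_sid"], report["rid"] = split_sid(m.group(1))
        if m := PRIMARY_RE.search(msg):
            report["supplementary_groups"] = int(m.group(2))
    return report


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print("%-22s %s" % (key, value))
```

Run against the excerpt, the report shows the domain prefix S-1-5-21-3516781642-1962875130-3438800523 carried by the user object, gid 201 with no sambaGroupMapping entry, the missing BUILTIN Administrators mapping (S-1-5-32-544), and a token with zero supplementary groups. The next check is whether the sambaDomain entry for the workgroup in smb.conf carries that same prefix as its sambaSID; the post does not show that entry, so the example stops at extracting what to compare.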
